Enter your organisation details
Introduction
This Audit Manual describes the working practices of the Internal Audit Function (IAF) of ORGANISATION NAME. The manual has been prepared in conformity with the Global Internal Audit Standards (GIAS) of the Institute of Internal Auditors (IIA) and supplements the Internal Audit Charter (CHARTER REFERENCE).
Where the charter establishes the position, mandate and independence of the IAF, this manual describes how the IAF carries out its activities in practice: from strategy and planning to reporting, follow-up and quality assurance.
The audit approach applied is based on METHODOLOGY. This manual takes effect on DD-MM-YYYY and is reviewed annually.
Strategy and annual planning
The CAE prepares a risk-based internal audit plan each year. This plan is based on:
- A current risk assessment of the audit universe (all auditable entities of ORGANISATION NAME);
- Input from the SUPERVISORY BOARD / BOARD, the AUDIT COMMITTEE and senior management;
- The strategic objectives of the organisation;
- Results of prior audits and outstanding recommendations.
The annual plan includes mandatory focus areas in accordance with GIAS Standard 9.2: information technology and cybersecurity, fraud risks, and compliance with laws and regulations.
The audit plan is submitted to the AUDIT COMMITTEE for approval. Material deviations from the approved plan are likewise submitted for approval. An interim revision is performed when significant changes occur in the organisation or its risk profile.
Engagement preparation
Every audit engagement starts with a structured preparation phase. The CAE or designated senior auditor prepares an engagement letter covering, at a minimum: objectives, scope, audit period, criteria framework, planned duration and the composition of the audit team.
Independence and objectivity
Before the start of each engagement, all assigned auditors confirm their independence and objectivity. In the event of an actual or potential conflict of interest, an alternative auditor is assigned.
Risk assessment and work programme
Based on the engagement scope, the audit team performs an engagement-specific risk assessment. The outcomes form the basis of the work programme: the structured description of procedures to be performed, criteria framework, required information sources and evaluation criteria.
Consultation with the auditee
The CAE conducts an opening meeting with the responsible manager (auditee) before each engagement to explain the objective, scope and approach, and to reach agreement on the timeline. Material objections are escalated in accordance with Section 8.
Performing the engagement
Gathering information
The audit team gathers information using the OIE approach: Observation (direct observation of processes and activities), Inquiry (interviews with staff and management) and Examination (analysis of documents, systems and data). Information is assessed for reliability, completeness and relevance.
Formulating findings
Each finding is documented with: description of the condition (what was found?), the criteria (what should have been?), the root cause, the consequence/risk, and a recommendation addressing the root cause. Findings are prioritised based on risk relevance (high / medium / low).
Fraud risks
The audit team remains alert to indicators of fraud or unethical conduct throughout the engagement. When a concrete suspicion of fraud arises, the CAE is informed immediately, and subsequently determines whether and how to escalate.
Supervision
The CAE or designated supervising auditor monitors the quality and progress of the fieldwork. Significant deviations from the work programme are documented and submitted for approval.
Engagement documentation
The IAF maintains an audit file for each engagement containing sufficient evidence to support and reconstruct conclusions. The file includes, at a minimum: the engagement letter, risk assessment, work programme, working papers, interview notes, and the final report including the management response.
Audit files are retained for RETENTION PERIOD after completion of the engagement, in accordance with legal requirements and the retention policy of ORGANISATION NAME. Access is restricted to IAF members and authorised regulators. Audit files are not disclosed to external parties without the explicit consent of the CAE.
Engagement reporting
Draft report and contradictory review
After completing the fieldwork, the audit team prepares a draft report. This report is submitted for review to the auditee and responsible management (contradictory review). The auditee is given the opportunity to correct factual inaccuracies and to formulate a management response to each recommendation.
Final report
After processing feedback, the CAE finalises the report. The report contains: background and objective, scope and methodology, overall audit opinion, findings with prioritisation, recommendations, management responses and an action tracking form (ATF).
Distribution
The final report is distributed to: responsible management, the CAE (filing), the AUDIT COMMITTEE (significant findings or upon request) and the SUPERVISORY BOARD (periodic reporting). CAE (filing) and the AUDIT COMMITTEE of the BOARD OF DIRECTORS.
Errors and omissions / Non-conformance
If a material error or omission in the report is identified after publication, the CAE issues a corrected report and informs all recipients. Non-conformance with the GIAS is documented, communicated to the AUDIT COMMITTEE and included in the QAIP reporting.
Follow-up and monitoring of recommendations
The IAF monitors the implementation of recommendations through the Action Tracking Form (ATF). Management is responsible for implementation; the IAF confirms execution and effectiveness.
The CAE reports quarterly to the AUDIT COMMITTEE on the status of outstanding recommendations, including overdue and unimplemented items. Recommendations not implemented by the agreed deadline are escalated in accordance with Section 8.
Escalation and risk acceptance
When management decides not to implement a recommendation, or to implement it only partially, the CAE documents this as formal risk acceptance. The risk acceptance includes: description of the residual risk, the name of the accepting manager and the date. For risks exceeding the risk appetite of ORGANISATION NAME, the following escalation ladder applies:
- Discussion with the responsible manager;
- Escalation to senior management;
- Escalation to the AUDIT COMMITTEE;
- If necessary, notification to the full supervisory body.
The CAE records all risk acceptances and escalation steps in the audit file.
Periodic reporting
Quarterly reporting
The CAE reports quarterly to the AUDIT COMMITTEE on: progress of the audit plan (% completed, expected completion), significant findings, status of outstanding recommendations, capacity and budget variances, and any impairments of independence.
Annual opinion (Overall Opinion)
The CAE issues an annual overall opinion on the effectiveness of governance, risk management and internal control of ORGANISATION NAME. This opinion is based on the combined results of all engagements performed during the year.
Thematic reports
In addition to periodic reporting, the CAE may issue thematic reports on cross-cutting or strategic risks, at the request of the AUDIT COMMITTEE or on own initiative.
Advisory services
In addition to assurance services, the IAF provides advisory services to the management of ORGANISATION NAME. The following rules apply to advisory services:
- The IAF does not assume management responsibility;
- Advisory services must not impair the objectivity of the IAF;
- When a subsequent assurance engagement covers the same subject, the CAE discloses the previously rendered advisory service;
- The CAE informs the AUDIT COMMITTEE of significant advisory services.
Resource and budget management
Budget
The CAE prepares an annual budget proposal aligned with the audit plan. The budget is approved by the AUDIT COMMITTEE. Material variances are reported.
Staff and competencies
The IAF possesses the knowledge, skills and other competencies required to execute the audit plan. The CAE promotes the continuing professional development of all staff, including certification (CIA and sector-specific qualifications). When specific expertise is lacking for a particular engagement, co-sourcing or external expertise is engaged.
Technology and tools
The IAF uses appropriate audit tools for planning, file management, data analysis and reporting. The CAE periodically assesses whether the available technology remains fit for the mandate.
Quality assurance and improvement (QAIP)
Ongoing monitoring
Engagement quality is continuously monitored through supervision (Section 4), file reviews and satisfaction surveys of auditees after each engagement.
Self-assessment
The CAE performs an annual internal self-assessment. The outcomes, together with conformity with the GIAS and the achievement of performance targets, are reported to the AUDIT COMMITTEE.
Performance measurement and KPIs
The IAF measures its performance against KPIs approved annually by the AUDIT COMMITTEE. Minimum indicators: audit plan completion (%), average engagement duration, auditee satisfaction score, recommendation follow-up rate and GIAS conformity opinion.
External quality assessment (EQA)
At least once every five years, the IAF commissions an external quality assessment by an independent, qualified party. The outcomes are reported to the AUDIT COMMITTEE. In the event of a significant non-conformity opinion, the CAE prepares an improvement plan.
Coordination with other assurance providers
The CAE coordinates the work of the IAF with that of the external auditor, the risk management function, the compliance function and other internal or external assurance providers. The objectives are: reducing duplication of effort, ensuring comprehensive risk coverage, and increasing the combined added value.
The CAE assesses the extent to which reliance can be placed on the work of other providers (GIAS Standard 9.5) and documents this assessment in the audit file.
Appendix A — GIAS Cross-Reference Table
Per section of this manual, the relevant GIAS principles, standards and DO requirement numbers. ⚠ = critical requirement.
| Manual section | Principle | Standard | DO requirement nos. | Critical |
|---|---|---|---|---|
| 1 — Introduction | PR6 Authorised by the board | 6.2 Internal audit charter | 1, 4 | ⚠ |
| 1 — Introduction | PR9 Systematic and risk-based approach | 9.3 Engagement objective consultation | 1 | ⚠ |
| 2 — Strategy & plan | PR9 Systematic and risk-based approach | 9.1 Engagement portfolio | 1, 2 | ⚠ |
| 2 — Strategy & plan | PR9 Systematic and risk-based approach | 9.2 Risk-based planning | 1, 2, 3 | ⚠ |
| 2 — Strategy & plan | PR9 Systematic and risk-based approach | 9.4 Internal audit plan | 1, 2, 3, 4 | ⚠ |
| 3 — Preparation | PR13 Planned and well-managed | 13.1 Planning objectives | 1, 2 | ⚠ |
| 3 — Preparation | PR13 Planned and well-managed | 13.2 Engagement briefing and scope | 1, 2, 3 | ⚠ |
| 3 — Preparation | PR13 Planned and well-managed | 13.3 Risk assessment | 1, 2 | ⚠ |
| 3 — Preparation | PR13 Planned and well-managed | 13.4 Work programme | 1, 2 | ⚠ |
| 4 — Fieldwork | PR14 Communicating findings | 14.1 Gathering information | 1, 2 | ⚠ |
| 4 — Fieldwork | PR14 Communicating findings | 14.2 Analysis and evaluation | 1 | ⚠ |
| 4 — Fieldwork | PR14 Communicating findings | 14.3 Identifying findings | 1, 2, 3 | ⚠ |
| 4 — Fieldwork | PR14 Communicating findings | 14.4 Recommendations | 1, 2 | ⚠ |
| 5 — Documentation | PR14 Communicating findings | 14.6 Engagement documentation | 1, 2, 3, 4, 5 | ⚠ |
| 6 — Reporting | PR15 Communicating results | 15.1 Final communication | 1, 2, 3, 4, 5 | ⚠ |
| 6 — Reporting | PR11 Communicating conclusions | 11.4 Quality of communication | 1, 2, 3 | ⚠ |
| 7 — Follow-up | PR15 Communicating results | 15.2 Confirming implementation of recommendations | 1, 2, 3 | ⚠ |
| 8 — Escalation | PR11 Communicating conclusions | 11.5 Escalation of significant matters | 1, 2 | ⚠ |
| 9 — Reporting structure | PR11 Communicating conclusions | 11.3 Reporting to the board and senior management | 1, 2, 3 | ⚠ |
| 10 — Advisory services | PR6 Authorised by the board | 6.1 Internal audit mandate | 1 | ⚠ |
| 10 — Advisory services | PR9 Systematic and risk-based approach | 9.1 Engagement portfolio | 1 | ⚠ |
| 11 — Resources | PR10 Well-managed resources | 10.1 Resources | 1, 2 | ⚠ |
| 11 — Resources | PR10 Well-managed resources | 10.2 Staff | 1, 2, 3 | ⚠ |
| 11 — Resources | PR10 Well-managed resources | 10.3 Technology and tools | 1 | ⚠ |
| 12 — QAIP | PR12 Quality assurance and improvement | 12.1 Internal quality assessment | 1, 2, 3 | ⚠ |
| 12 — QAIP | PR12 Quality assurance and improvement | 12.2 Performance measurement | 1, 2, 3 | ⚠ |
| 12 — QAIP | PR12 Quality assurance and improvement | 12.3 Engagement supervision | 1, 2 | ⚠ |
| 12 — QAIP | PR8 Under board oversight | 8.4 External quality assessment | 1, 2, 3 | ⚠ |
| 13 — Coordination | PR9 Systematic and risk-based approach | 9.5 Coordination with other assurance | 1 | ⚠ |
Appendix B — Preparation Checklist
Use this checklist at the start of every audit engagement. Blockers (marked in red) must be cleared before fieldwork can begin.
| # | Topic | Question | Evidence | GIAS | Weight |
|---|---|---|---|---|---|
| 1 | Independence and objectivity of the audit team ⚠ Blocker | Is the audit team (auditors and CAE) independent and free from actual or perceived conflicts of interest with respect to the audit object? | Signed independence confirmations; absence of past involvement with audit object; documentation of team rotation. Independent: not responsible (currently or previously) for the audit object, not involved in an advisory engagement in the past 5 years, no limitations imposed on scope or access to information / persons / systems, etc. Objective: weigh/discuss the risk of bias (regarding stakeholders / controls), be aware of any preconceptions about persons / situations so the team / reviewer can apply additional scrutiny. | 2.3 | 3 |
| 2 | Competencies and expertise of auditors | Does the audit team possess the required competencies for this audit? What is the role allocation? | Audit team profile; training and experience documentation; competency-audit fit assessment. Appropriate and sufficient resources based on the nature and complexity of each engagement, the time constraints and the available resources. | 3.1 | 3 |
| 3 | Availability of required knowledge, skills and capacity | Does the team have sufficient knowledge, experience and resources to carry out the audit professionally? | Skills matrix, team CVs, training logs, evidence of external consultants or experts contracted. | 13.5 | 2 |
| 4 | Organising internal quality review | Has an independent internal review been organised and is the reviewer sufficiently qualified? | Internal review assignment in planning; review checklist template; reviewer's name and independence confirmation. | 12.2 | 3 |
| 5 | Risk analysis of the audit object | Have the relevant risks for the audit object, including fraud and non-compliance risks, been identified and analysed? | Risk assessment worksheet, fraud risk considerations, risk register excerpts, stakeholder interviews. Document outcomes (risks) in the engagement plan or separately in the audit file. | 13.2 | 3 |
| 6 | Explicitly addressing ethical/fraud risks | Have ethical and fraud risks been identified and included in the risk analysis and planning of the audit? | Ethical risk assessment notes; stakeholder interviews; fraud/ethics checklist in planning. | 1.2 | 2 |
| 7 | Explicitly addressing non-compliance risks | Have the relevant laws and regulations been identified and has non-compliance been included in the risk analysis and planning of the audit? | Risk analysis notes, stakeholder interviews. | 13.2 | 2 |
| 8 | Describing the rationale | What is the rationale for the audit? For example, it originates from the annual plan, but also why this audit was included in the annual plan. | Consider focus areas, risks, weaknesses and developments/changes. | 1 | |
| 9 | Preparing a high-level schedule | Describe (e.g. which quarter) the audit is expected to be performed. Also determine whether there are factors influencing the schedule, e.g. holiday periods. | 1 | ||
| 10 | Relevant developments or outstanding items | What developments are relevant to include in the plan? Are there known vulnerabilities/issues and are there any outstanding actions (audit findings)? | 1 |
| # | Topic | Question | Evidence | GIAS | Weight |
|---|---|---|---|---|---|
| 1 | Establishing audit objectives and scope | Have the objectives and scope of the audit been established in line with the purpose and organisational objectives? | Documented engagement objectives and scope in the audit planning file; approved audit notification letter. | 13.3 | 3 |
| 2 | Identifying the auditee | Does the plan describe who the auditee is in relation to the subject? | 1 | ||
| 3 | Confirming agreements with auditee via engagement plan | Have the agreements with the auditee regarding the engagement been documented and confirmed in advance? | Audit announcement email, signed engagement letter, documented scope confirmation. Document outcomes (agreements/confirmation), e.g. email confirming the engagement plan or details separately in the audit file. | 13.4 | 2 |
| 4 | Preparing the (audit) plan | Has an (audit) plan been prepared in which the activities are linked to the objectives and scope? | Approved work program; mapping of procedures to objectives; audit planning memo. The IAF does not use detailed work programmes prescribing every audit activity in advance. For audits, an audit plan is prepared; for other engagements, a brief engagement confirmation or approach memo may suffice. In this checklist we refer to "(audit) plan". | 13.6 | 3 |
| 5 | Engagement sponsor | Does the plan describe who the engagement sponsor is for this audit? | 1 | ||
| 6 | Preparing the criteria framework | Has a sufficient (specific and testable) criteria framework been prepared for the audit (covering at least the key risks or process steps/project phases)? | Required for audits; for other engagements, this depends on the agreed scope. The term 'work program' is not translated as a rigid set of procedures, but reflects the preparatory work performed and communicated (via the audit plan/engagement plan and criteria framework) to achieve/answer the objectives and audit questions within scope. | 13.6 | 3 |
| 7 | Incorporating topical requirements in the criteria framework | Is a relevant Topical Requirements document available for this subject? See: https://www.theiia.org/en/standards/2024-standards/topical-requirements/ | Mandatory element within the broader IPPF. | 2 | |
| 8 | Identifying stakeholders | Is it clear which other stakeholders are relevant for obtaining the right information and have these individuals been included in the audit plan? | 1 | ||
| 9 | Aligning with stakeholders | Has alignment been reached with stakeholders on the purpose, scope, timing and responsibilities of the audit? | Records of communication with sponsor; meeting notes or emails confirming agreement on purpose, scope, outcomes, responsibilities. Consider specific enabling / constraining factors for this engagement and their impact on stakeholder alignment and the engagement plan. | 13.1 | 2 |
| 10 | Detailed schedule | Does the plan contain a detailed schedule (e.g. a weekly Gantt chart) and are the different phases and deliverables included? | 1 | ||
| 11 | Aligning risk analysis with auditee | In the case of an audit: has the auditee's assessment of the effectiveness of control measures (gross vs. net risk) over which assurance is sought been documented? | The manual's preparation phase calls for making an independent risk assessment and documenting the auditee's assessment of the effectiveness of control measures (gross vs. net risk) over which assurance is sought. Typically documented using a heat chart. | 2 | |
| 12 | Aligning criteria framework with auditee | Has the (draft audit) plan including the criteria framework been aligned with the auditee? | Document this, e.g. by email or in the file (OneNote). Verify that the auditee is sufficiently familiar with the intended criteria and that those criteria genuinely match the auditee's view on management control. | 2 | |
| 13 | Aligning criteria framework with controller | Has the (draft audit) plan including the criteria framework been aligned with the controller? | Document this, e.g. by email or in the file (OneNote). (Required for audits; for other engagements, explain why no alignment took place if applicable.) | 2 | |
| 14 | Alignment with Privacy Officer / DPO | For a privacy audit, has the report been aligned with the Privacy Officer and the Data Protection Officer? | Document this, e.g. by email or in the file (OneNote). Alignment with the DPO is required for privacy audits; for other privacy engagements, explain why no alignment took place if applicable. | 1 | |
| 15 | Communicating IIA compliance | Standard text: has it been considered to include the statement "In conformance with the Global Internal Audit Standards"? | 4.1 | 1 | |
| 16 | Review of the (audit) plan | Has the (audit) plan been reviewed and are all review comments resolved? | (Perform review demonstrably: track changes in digital document or scan annotations on hard copy.) | 12.3 | 3 |
| 17 | Sending the (audit) plan | Has the final (audit) plan been sent to at least the engagement sponsor and the auditees? | 13.1 | 2 |
Appendix C — Fieldwork Checklist
Use during the fieldwork phase.
| # | Topic | Question | Evidence | GIAS | Weight |
|---|---|---|---|---|---|
| 1 | Timely escalation of issues or deviations from the plan | Were deficiencies and bottlenecks during fieldwork reported to relevant stakeholders and the CAE in a timely manner? | Escalation logs; issue memos; notifications to senior management. For significant deficiencies, the CAE informs the auditee and engagement sponsor on an interim basis. This prevents surprises when discussing the draft audit report. The engagement sponsor is also informed of any delays in progress. Ensure that the engagement sponsor remains informed of delays or noteworthy developments throughout the audit. Ensure that new expectations or developments are shared with you so they can still be addressed. | 14.5 | 2 |
| 2 | Gathering and analysing information | Was sufficient and relevant information gathered and analysed using an appropriate method? | Interview notes; data extracts; observation logs; collected documentation. Workpapers; audit file index; document review notes. The IAF applies the DIE approach (see manual for the approach and what to document when testing the design, implementation and/or effectiveness of controls). The IAF does not perform root cause analyses as standard practice (as those constitute different types of investigations), but the information gathered must be sufficient to support the findings. | 14.1 | 3 |
| 3 | Sufficient and accurate documentation of work performed | Were the work performed, analyses and findings adequately documented? | Interview notes; data extracts; observation logs; collected documentation. Workpapers; audit file index; document review notes. The IAF applies the DIE approach (see manual for the approach and what to document when testing the design, implementation and/or effectiveness of controls). The IAF does not perform root cause analyses as standard practice (as those constitute different types of investigations), but the information gathered must be sufficient to support the findings. | 14.2 | 3 |
| 4 | Supporting documentation | Do findings based on documentation include correct references to the audit file? | Analysis summaries; root cause analysis charts; audit matrices. If external parties were engaged, ensure their working papers are also included in the audit file. | 14.6 | 3 |
| 5 | Conclusion/score ⚠ Blocker | Do all criteria have a conclusion/score with clear supporting narrative? | Evaluation tables; audit evidence comparisons; deviation logs. Ensure that a third party (e.g. reviewer) can clearly understand how the conclusion/scores per criterion were constructed. | 14.3 | 3 |
| 6 | Validating findings with the auditee | Were significant findings discussed or verified with the relevant stakeholders? | Meeting notes; confirmation emails from auditee; validation documents. To ensure that the information received is correctly translated into findings, the findings per criterion are discussed with the responsible person (typically via email). | 14.4 | 3 |
| 7 | Quality of documentation | Is the documentation of work performed, findings and conclusions structured so that an independent third party (e.g. reviewer) can reproduce and understand the audit? | Review notes, file structure with version control, work programmes with references, reviewer feedback | 14.6 | 2 |
| 8 | No unnecessary documentation in the file | Have unused documents been removed from the file or placed in a separate "other" folder (e.g. background information)? | 1 | ||
| 9 | Alignment on deviations from the audit plan/criteria framework | Were any changes to the approach made after the review of the audit plan / criteria framework discussed with the reviewer? | 2 |
Appendix D — Completion Checklist
Use during the completion phase. Blockers prevent publication of the final report.
| # | Topic | Question | Evidence | GIAS | Weight |
|---|---|---|---|---|---|
| 1 | Content | Is the draft report complete, accurate, readable, balanced (positive and negative points), and do the conclusions and key findings align with the objective and scope from the audit plan? | Draft report, review notes, correction logs, reviewer comments processed in the file | 11.3 | 3 |
| 2 | Recommendations | Are recommendations logically derived from findings, feasible and realistic (SMART where possible)? | Draft action plan tables, proposed improvement measures, feasibility justification | 14.4 | 3 |
| 3 | Draft report: structure and consistency with audit plan | Is the report consistent with the audit plan? Does it include the objective and scope? | 15.1 | 2 | |
| 4 | Disclosure of noteworthy matters | Were noteworthy matters or deviations in the engagement or fieldwork (e.g. change in scope, uncertainties, imposed limitations) identified? | 11.4 | 2 | |
| 5 | Conclusion | Does the report contain a conclusion that fully addresses the original objective? | 14.5 | 3 | |
| 6 | Accuracy and consistency | Is the final report consistent with the audit file, and are any changes compared to the draft substantiated? | Final report, change log compared to draft, explanation of deviations in the file | 11.4 | 2 |
| 7 | Performed in conformance with GIAS | Was it considered to include the statement "In conformance with the Global Internal Audit Standards"? | The final engagement communication may include a statement that the engagement was performed in conformance with the Global Internal Audit Standards, but only if this is supported by the results of engagement supervision and the quality assurance and improvement program. | 1 | |
| 8 | Ethics and objectivity | Were there no objectivity or independence impairments throughout the engagement, and were any impairments fully and transparently documented? | 2.3 | 2 | |
| 9 | Due professional care | Was the audit performed with sufficient depth and diligence appropriate to the risk and complexity? | 4.1 | 2 | |
| 10 | Distribution restrictions | Does the report state that it may not be distributed without approval from the engagement sponsor, the responsible director, responsible manager or Internal Audit, unless the engagement sponsor considers this unnecessary? | 1 | ||
| 11 | Alignment with stakeholders (if applicable) | Was the draft report, where relevant, discussed with the engagement sponsor, DPO/privacy officer (privacy audits) or other designated stakeholders? | Emails with engagement sponsor/DPO/privacy officer, notes from alignment meetings | 2 | |
| 12 | Auditee response | Was the draft report discussed with the auditee for their formal response, and was feedback demonstrably incorporated? | 15.1 | 3 | |
| 13 | Indicators of fraud | Were there any indicators of fraud, and if so, was this included in the report or verbally discussed with the engagement sponsor and the corporate control manager? | 2 | ||
| 14 | Disagreement | Is there a disagreement between the auditee / process owner and the (lead) auditor? | 2 | ||
| 15 | Disagreement | Is there a disagreement between the (lead) auditor and the reviewer? | 2 | ||
| 16 | Quality review | Was the internal quality review performed and documented sufficiently throughout the audit? | 12.1 | 3 |
| # | Topic | Question | Evidence | GIAS | Weight |
|---|---|---|---|---|---|
| 1 | Management response | Has the management response been included in the audit report and/or file (if applicable)? | 2 | ||
| 2 | Completeness of comment resolution | Have all comments/questions received on the draft report been addressed, and is the resolution documented in the file? | 2 | ||
| 3 | Unchanged conclusion | Has the conclusion in the final report remained unchanged compared to the initial draft, and if not, does the file document the rationale for the change? | 2 | ||
| 4 | CAE approval ⚠ Blocker | Has the final report been formally approved by the CAE, thereby placing it under the CAE's ownership, before it was communicated or distributed to stakeholders? | CAE approval email, signed report, workflow confirmation | 11.3 | 3 |
| 5 | Distribution of the final report | Was the final report distributed to all relevant stakeholders in a timely and complete manner in accordance with the manual, and is proof of delivery available? | Distribution list, dispatch logs, email with timestamp | 15.1 | 2 |
| 6 | Scheduling at Executive Board | Has the final report been scheduled for the Executive Board agenda (and is it known that the relevant manager may attend the Executive Board discussion)? Note: for privacy audits, include the DPO's response in the Executive Board agenda item. | 1 |
| # | Topic | Question | Evidence | GIAS | Weight |
|---|---|---|---|---|---|
| 1 | Action Tracking Form (ATF) | Have all findings been translated into an ATF containing at minimum: management action, action owner, deadline? And is the ATF consistent with the report? | ATF, Executive Board agenda item, SMART actions included, confirmation of ATF dispatch | 14.4 | 3 |
| 2 | Detailed findings underlying the findings listed in the ATF traceable? | Does the agenda item state whether the ATF contains all findings or a condensed version of the key elements from the final report? | 15.1 | 2 | |
| 3 | Management actions in ATF | Has the follow-up and monitoring of action plans been ensured (through Executive Board decision-making)? | Follow-up logs, implementation confirmations from action owners, monitoring dashboards | 15.2 | 2 |
| 4 | Distribution of the final ATF | Was the ATF sent to the distribution list after discussion at the Executive Board? | 2 | ||
| 5 | Archiving of documentation | Have the final report, ATF and supporting audit documentation been archived securely, completely and accessibly? | Archiving log, file folder with access controls, version control, backup confirmation | 14.6 | 2 |